
What is the best way to pass criteria without using get


paulonline2501


hi,

so my problem is:

i have a web page that produces a list [ul].

the list is the list of ftp sites that belong to a specific user in the database

example:

select * from user_ftps where user_id = 'x'

great! that works fine.

in this case i get three sites back belonging to the user. perfect.

i also put a hyperlink with a 'get' in the output so the user can click edit and edit the site they want.

like so:

if (mysql_num_rows($result) > 0) {
    // one list item per FTP site, each with an edit link carrying the row id
    while (list($db_id, $db_user_id, $db_name) = mysql_fetch_row($result)) {
        echo "<li>$db_name [<a href=\"ftps/edit?id=$db_id\">edit</a>]</li>";
    }
}

the problem is, using this method the user can alter the id in the url to the number of another user and see all their ftp sites.

"Use Post with a hidden value" i hear you say. but if i do that i'll need to create a button for each 'edit' link. i think.

not really a problem i suppose. but i want to know if there is a better way i can do this or if i'm just approaching this in the wrong way and should be using a different method.

regards,

paul

Edited by as_bold_as_love

ok, thanks.

i guess then what i will do is for each result that is returned from the database i will put a form in the <li> with a hidden field and just a submit button.

....actually that won't be good either because the id will be visible in the html....

....i know what i'll do. i'll use 'get' [this will mean i don't have to use a lot of buttons/forms] and i'll pass a token comprising user_id, ftp_id, and a random generated string [possibly encrypted]. then other users won't be able to tamper with the url.

does that sound ok? can you think of any improvements???


why not SESSION? This way you can use POST, and check to make sure the user is also logged in.


hi thescientist,

i'm not sure what you mean?

i do have various SESSION variables that i set when the user logs in etc.

one of which is the SESSION[id] which i use in the SQL to work out which of the user_ftps is associated to the user.

select * from user_ftps where id = session[id]

but how does this help me in terms of creating a link to the edit page with the id of the ftp i want to edit?


The problem is that it is the id of an FTP. There are numerous users all with their own FTPs. Therefore it would be easy for a user to change the URL to the id of an FTP that doesn't belong to them and see the details. This must be a very common issue. You have items in your database. You have a page that shows the details of this item using a parameter such as id to indicate the specific item. And the need to restrict viewing access based on the user having ownership of the item.


Actually thescientist, I see what you mean now. I can simply say something like

Select * from user_ftps where id = $_get[id] and user_id = SESSION[user_id]

So simple when you think about it. Thanks a lot, both of you.

Edited by as_bold_as_love

"Therefore it would be easy for a user to change the URL to the id of an FTP that doesn't belong to them and see the details."

You're trying to solve that problem the wrong way. Security has 2 major issues: authentication, and authorization, and you need both. Right now you have authentication, but you don't have authorization. Authentication means logging in, that's when a user enters their username and password and they authenticate themselves with your site, now your site knows who they are. Authorization is making sure that a given authenticated user is only allowed to do the things that the user has permission for. Your page that displays the FTP site or whatever needs to get the FTP ID, get the user ID, and authorize that user to access that FTP. Then it doesn't matter what ID they put in, if they don't have permission then they get an error message.

 

This happens more often than you would think, where people implement authentication only and think that's enough. There was a story a year or so ago where that issue was found on a major bank site. Someone logged in and noticed that the URL had their credit card number in it, so they changed the number and, sure enough, it pulled up the details for that account without bothering to check if the user had permission. The fix is not to hide or encrypt the ID, the fix is to add authorization checking.

  • Like 2
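
The authorization check described in the post above, sketched as an added example (not code posted by anyone in this thread). It assumes PDO with an in-memory SQLite database standing in for the poster's MySQL table; the function names, the `name` column and the sample rows are constructed for illustration.

```php
<?php
// Added example. Constructed rows: user 10 owns sites 1 and 2, user 20 owns site 3.
// SQLite in memory replaces the thread's MySQL so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_ftps (id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT)');
$db->exec("INSERT INTO user_ftps (id, user_id, name) VALUES
    (1, 10, 'alice-site-a'), (2, 10, 'alice-site-b'), (3, 20, 'bob-site')");

// Before: authentication only. Any logged-in user can load any row by id.
function find_ftp_unchecked(PDO $db, int $ftpId): ?array {
    $stmt = $db->prepare('SELECT id, user_id, name FROM user_ftps WHERE id = :id');
    $stmt->execute([':id' => $ftpId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// After: ownership is part of the query; the owner id comes from the session.
function find_ftp_for_user(PDO $db, int $ftpId, int $sessionUserId): ?array {
    $stmt = $db->prepare(
        'SELECT id, user_id, name FROM user_ftps WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $ftpId, ':uid' => $sessionUserId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Edit-page handler. $rawId stands for $_GET['id'], $sessionUserId for
// $_SESSION['user_id']. Returns the HTTP status and body the page would send.
function handle_edit(PDO $db, $rawId, ?int $sessionUserId): array {
    if ($sessionUserId === null) {
        return [401, 'Please log in.'];          // not authenticated
    }
    $ftpId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($ftpId === false) {
        return [400, 'Invalid id.'];             // not a positive integer
    }
    $row = find_ftp_for_user($db, $ftpId, $sessionUserId);
    if ($row === null) {
        // Same response for "no such row" and "not yours".
        return [404, 'FTP site not found.'];
    }
    return [200, 'Editing ' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')];
}

// Constructed requests: own site, someone else's site, malformed id, no session.
foreach ([['1', 10], ['3', 10], ['3 OR 1=1', 10], ['3', null]] as [$id, $uid]) {
    [$status, $body] = handle_edit($db, $id, $uid);
    echo "id=$id user=" . var_export($uid, true) . " -> $status $body\n";
}
echo 'unchecked lookup of id=3: ' . find_ftp_unchecked($db, 3)['name'] . "\n";
```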

Yeah, thanks justseguy. As you said, I already have a login. This sets SESSION variables to logged in and sets the user id - I didn't really mention it before because it's so obvious to me. I think this with the SQL check that I posted previously I'll be able to check as you have just suggested. I think I'll go a step further and instead of using the id I'll set up a token comprising id, ftp_id and random string and use that in the 'get'. That would add a level of complexity that would mean guessing the URL would be time consuming and a SESSION hack would have to be done.


I don't even worry about trying to hide the ID, I just always check if the given user has permission to access the given item. A permission system for most applications is as necessary as a login system. Security requires both authentication and authorization, those aren't optional.
